GET /cspm/finding_changes
This API returns information on new, resolved, or modified findings detected within a specified date range on the scan accounts in your company.
Request
Format
GET /cspm/finding_changes?from_date=<string>&to_date=<string>&type=<enum>&severities=<string>&scans=<string>&scan_groups=<string>&rules=<string>&resources=<string>&system_compliance=<string>&page_limit=<integer>&page_cursor=<string>
Parameters
| Parameter | Type | Optional | Description |
|---|---|---|---|
| type | Enum | No | The category of the finding change. Possible values: |
| from_date | String | No | The start date and time of the request interval, in ISO 8601 format. The |
| to_date | String | Yes | The end date and time of the request interval, in ISO 8601 format. If you do not include this parameter in the request, the current date and time are used by default. |
| severities | Array of strings | Yes | Only return information for findings with the specified severity levels. You can enter multiple comma-separated values. Possible values: |
| scans | Array of strings | Yes | Only return information for the specified scan account IDs. You can enter multiple comma-separated values. |
| scan_groups | Array of strings | Yes | Only return information for the specified scan group IDs. You can enter multiple comma-separated values. |
| rules | Array of strings | Yes | Only return results associated with the specified rule IDs. You can enter multiple comma-separated values. |
| resources | Array of strings | Yes | Only return results that involve the specified resource IDs. You can enter multiple comma-separated values. |
| system_compliance | Array of strings | Yes | Only return results associated with the specified compliance standard IDs. You can enter multiple comma-separated values. |
| page_limit | Integer | Yes | Return a paginated response, with the maximum number of results per page limited to the specified value. |
Examples
Return new findings of critical and high severity for the interval between March 24, 2026, 16:00:00 UTC, and March 29, 2026, 15:59:59 UTC:
GET /cspm/finding_changes?type=new&from_date=2026-03-24T16:00:00.000Z&to_date=2026-03-29T15:59:59.000Z&severities=critical,high
Return resolved findings associated with rule ID da7ada11-db7c-40e2-ab06-8b3f37d52b93 for the interval between April 10, 2026, and April 28, 2026:
GET /cspm/finding_changes?type=resolved&from_date=2026-04-10&to_date=2026-04-28&rules=da7ada11-db7c-40e2-ab06-8b3f37d52b93
Response
Format
{
  "data": [
    {
      "id": "string",
      "type": "finding_change",
      "attributes": {
        "title": "IAM policies attached to IAM users",
        "description": "One or more IAM policies are attached to IAM users.\n\nYou manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not to users.",
        "resource_region": "global",
        "resource_id": "string",
        "resource_name": "string",
        "resource_type": "IAM User",
        "change_type": "new",
        "change_reason": "first_seen",
        "changed_at": "2026-04-25T02:29:31+00:00",
        "change_result": "fail",
        "change_severity": "low",
        "change_status": "open",
        "previous_result": null,
        "previous_severity": null,
        "previous_status": null,
        "original_severity": "low",
        "scan_name": "string",
        "scan_group_name": "string"
      },
      "relationships": {
        "check": {
          "data": {
            "id": "string",
            "type": "check"
          }
        },
        "scan": {
          "data": {
            "id": "string",
            "type": "scan"
          }
        },
        "scan_group": {
          "data": {
            "id": "string",
            "type": "scan_group"
          }
        },
        "rule": {
          "data": {
            "id": "string",
            "type": "rule"
          }
        }
      }
    },
    {
      ...
    }
  ],
  "links": {
    "self": "string",
    "next": "string"
  },
  "meta": {
    "total": 367,
    "elapsed": 300
  }
}
Attributes
This endpoint returns an object containing multiple attributes:
| Attribute | Type | Description |
|---|---|---|
| data | Array of objects | Data on the finding changes, with one object corresponding to each change. |
| id | String | The ID of the change. |
| type | String | The type of entity described by the object. For this endpoint, the value is always |
| attributes | Object | Provides information on the finding change. |
| title | String | The title of the finding. |
| description | String | The description of the finding. |
| resource_region | String | The region where the affected resource is located. |
| resource_id | String | The ID of the affected resource. |
| resource_name | String | The name of the affected resource. |
| resource_type | String | The type of the affected resource. |
| change_type | String | The type of finding change. Possible values: |
| change_reason | String | The reason for the finding change. Possible values: |
| changed_at | String | Date and time when the finding change occurred, in ISO 8601 format. |
| change_result | String | Last scan result associated with the finding within the requested time interval. Possible values: |
| change_severity | String | Last severity level associated with the finding within the requested time interval. Possible values: |
| change_status | String | Last status of the finding within the requested time interval. Possible values: |
| previous_result | String | Scan result previously associated with the finding. Possible values: |
| previous_severity | String | Severity level previously associated with the finding. Possible values: |
| previous_status | String | Previous status of the finding. Possible values: |
| original_severity | String | Severity level originally associated with the finding. Possible values: |
| scan_name | String | The name of the scan account that was scanned. |
| scan_group_name | String | The name of the scan group to which the scan account that was scanned belongs. |
| relationships | Object | Entities related to the finding. |
| check | Object | Information on the related check. |
| data | Object | Data on the related check. |
| id | String | ID of the related check. |
| type | String | The type of the related entity. Possible value: |
| scan | Object | Information on the related scan. |
| data | Object | Data on the related scan. |
| id | String | ID of the related scan. |
| type | String | The type of the related entity. Possible value: |
| scan_group | Object | Information on the related scan group. |
| data | Object | Data on the related scan group. |
| id | String | ID of the related scan group. |
| type | String | The type of the related entity. Possible value: |
| rule | Object | Information on the related rule. |
| data | Object | Data on the related rule. |
| id | String | ID of the related rule. |
| type | String | The type of the related entity. Possible value: |
| links | Object | Provides request URLs for returning the current and next page of results, in the case of a paginated response. |
| self | String | Request URL for the current page of the response. |
| next | String | Request URL for the next page of the response. If the response is not paginated, the value is |
| meta | Object | Provides information on the number of results. |
| total | Integer | The total number of results for your request. |
| elapsed | Integer | The aggregated number of results for the response pages returned so far. |
Examples
Information was requested on new findings of critical and high severity for the interval between March 24, 2026, 16:00:00 UTC, and March 29, 2026, 15:59:59 UTC:
{
  "data": [
    {
      "id": "522ae98c-71b5-4c0c-92e3-7b7716******",
      "type": "finding_change",
      "attributes": {
        "title": "IAM user access key not rotated every 180 days",
        "description": "One or more access keys belonging to IAM users have not been rotated for at least 180 days.\n\nAn IAM user is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign in to the AWS Management Console, and up to two access keys that can be used with the API or CLI. When you create an IAM user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user. You can also clone the permissions of an existing IAM user, which automatically makes the new user a member of the same groups and attaches the same policies to it.\n\nAccess keys are long-term credentials for an IAM user or the AWS account root user.\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services.\n\nAs a security best practice, we recommend that you regularly rotate (change) IAM user access keys. If your administrator granted you the necessary permissions, you can rotate your own access keys.",
        "resource_region": "global",
        "resource_id": "arn:aws:iam::829960******:user/******-test",
        "resource_name": "******-test",
        "resource_type": "IAM User",
        "change_type": "new",
        "change_reason": "pass_to_fail",
        "changed_at": "2026-03-26T05:48:12+00:00",
        "change_result": "fail",
        "change_severity": "high",
        "change_status": "open",
        "previous_result": "pass",
        "previous_severity": null,
        "previous_status": null,
        "original_severity": "high",
        "scan_name": "****** Test Apr 29",
        "scan_group_name": "****** Dev/Test"
      },
      "relationships": {
        "check": {
          "data": {
            "id": "3cffc0e8-661f-4b20-b0dc-32d1bb******",
            "type": "check"
          }
        },
        "scan": {
          "data": {
            "id": "01c3d68d-a4fc-4417-a802-c3275f******",
            "type": "scan"
          }
        },
        "scan_group": {
          "data": {
            "id": "66bfb3c3-1c93-4fa1-ab02-23b5ce******",
            "type": "scan_group"
          }
        },
        "rule": {
          "data": {
            "id": "384e6781-e9c8-4aa2-9e8e-5306f1******",
            "type": "rule"
          }
        }
      }
    },
    {
      "id": "863c132e-00d9-40ab-be45-269d8b******",
      "type": "finding_change",
      "attributes": {
        "title": "S3 bucket not configured to block public access",
        "description": "Your AWS account has S3 buckets that are not configured to block public access.\n\nThe Block Public Access S3 feature provides settings for access points, buckets, and accounts, to help manage public access to S3 resources. By default, buckets, access points and objects do not allow public access. You can modify bucket policies, access point policies or object permissions to allow public access. S3 Block Public Access settings override such policies and permissions, enabling you to limit public access to these resources. S3 Block Public Access enforces the following:\n\n`BlockPublicAcls`\n- PUT Bucket ACL and PUT Object ACL calls fail if the access control list is public.\n- PUT Object calls fail if the request includes a public ACL.\n- If this setting is applied to an account, PUT Bucket calls fail if the request includes a public ACL.\n\n`IgnorePublicAcls`\n- Causes S3 to ignore all public ACLs on a bucket and any objects that it contains. This setting enables you to safely block public access granted by ACLs while still allowing PUT Object calls that include a public ACL.\n\n`BlockPublicPolicy`\n- Causes S3 to reject PUT Bucket Policy calls if the specified bucket policy allows public access, and to reject PUT Access Point Policy calls for all the bucket's access points if the specified policy allows public access.\n\n`RestrictPublicBuckets`\n- Restricts access to an access point or bucket with a public policy to only AWS service principals and authorized users within the bucket owner's account. This setting blocks all cross-account access to the access point or bucket, while still allowing users within the account to manage the access point or bucket.\n\nThe current rule checks if all 4 settings are set to `true`.",
        "resource_region": "global",
        "resource_id": "arn:aws:s3:::******1",
        "resource_name": "******1",
        "resource_type": "S3 Bucket",
        "change_type": "new",
        "change_reason": "pass_to_fail",
        "changed_at": "2026-03-25T05:36:30+00:00",
        "change_result": "fail",
        "change_severity": "high",
        "change_status": "open",
        "previous_result": "pass",
        "previous_severity": null,
        "previous_status": null,
        "original_severity": "high",
        "scan_name": "****** Test Apr 29",
        "scan_group_name": "****** Dev/Test"
      },
      "relationships": {
        "check": {
          "data": {
            "id": "221b7f85-6f7e-4408-8bb7-3e61e8******",
            "type": "check"
          }
        },
        "scan": {
          "data": {
            "id": "01c3d68d-a4fc-4417-a802-c3275f******",
            "type": "scan"
          }
        },
        "scan_group": {
          "data": {
            "id": "66bfb3c3-1c93-4fa1-ab02-23b5ce******",
            "type": "scan_group"
          }
        },
        "rule": {
          "data": {
            "id": "e7789020-f963-4f8c-81b2-895c53******",
            "type": "rule"
          }
        }
      }
    },
    {
      ...
    }
  ],
  "links": {
    "self": "https://******.com/prod//v1/cspm/finding_changes?from_date=2026-03-24T16%3A00%3A00&to_date=2026-03-29T15%3A59%3A59&type=new&severities=high%2Ccritical&page_limit=300",
    "next": "https://******.com/prod//v1/cspm/finding_changes?from_date=2026-03-24T16%3A00%3A00&to_date=2026-03-29T15%3A59%3A59&type=new&severities=high%2Ccritical&page_cursor=eyJ0b3RhbCI6IDYzLCAiZWxhcHNlZCI6IDQwLCAibm9fbGF0ZXJfdGhhbiI6ICIyMDI2LTA0LTMwVDA4OjM4OjUwLjE2NjA5NCIsICJuZXh0X2JlZ2luX3VpZCI6IG******&page_limit=300"
  },
  "meta": {
    "total": 363,
    "elapsed": 300
  }
}
Information was requested on resolved findings associated with rule ID da7ada11-db7c-40e2-ab06-8b3f37****** for the interval between April 10, 2026, and April 28, 2026:
{
  "data": [
    {
      "id": "95275c97-abe4-4419-99ee-b7c1b1******",
      "type": "finding_change",
      "attributes": {
        "title": "IAM credentials unused for 90 days",
        "description": "One or more AWS accounts contain IAM users whose credentials have not been used for at least 90 days.\n\nAn AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.\n\nYou can access AWS in different ways depending on the user credentials:\n- Console password: A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.\n- Access keys: A combination of an access key ID and a secret access key. You can assign two to a user at a time. You can use access keys to make programmatic calls to AWS. For example, you can use access keys when using the API for code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.\n\nAn IAM user is considered to have unused credentials if they have a console password that has not been used or changed in 90 days, or active access keys that have not been used or rotated in 90 days.",
        "resource_region": "global",
        "resource_id": "arn:aws:iam::829960******:user/******-test",
        "resource_name": "******-test",
        "resource_type": "IAM User",
        "change_type": "resolved",
        "change_reason": "fail_to_pass",
        "changed_at": "2026-04-17T11:29:24+00:00",
        "change_result": "pass",
        "change_severity": null,
        "change_status": null,
        "previous_result": "fail",
        "previous_severity": "medium",
        "previous_status": "open",
        "original_severity": "medium",
        "scan_name": "******-aws-test",
        "scan_group_name": "******-aws-test"
      },
      "relationships": {
        "check": {
          "data": {
            "id": "d2ab3cc4-3e17-4063-9187-ed3b47******",
            "type": "check"
          }
        },
        "scan": {
          "data": {
            "id": "5322a8a2-8250-4c8b-a3f1-734c18******",
            "type": "scan"
          }
        },
        "scan_group": {
          "data": {
            "id": "81c72aeb-b167-4bbd-ba1d-31c1f9******",
            "type": "scan_group"
          }
        },
        "rule": {
          "data": {
            "id": "da7ada11-db7c-40e2-ab06-8b3f37******",
            "type": "rule"
          }
        }
      }
    },
    {
      "id": "9f29e347-2ee9-4270-bdb3-590f4e******",
      "type": "finding_change",
      "attributes": {
        "title": "IAM credentials unused for 90 days",
        "description": "One or more AWS accounts contain IAM users whose credentials have not been used for at least 90 days.\n\nAn AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.\n\nYou can access AWS in different ways depending on the user credentials:\n- Console password: A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.\n- Access keys: A combination of an access key ID and a secret access key. You can assign two to a user at a time. You can use access keys to make programmatic calls to AWS. For example, you can use access keys when using the API for code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.\n\nAn IAM user is considered to have unused credentials if they have a console password that has not been used or changed in 90 days, or active access keys that have not been used or rotated in 90 days.",
        "resource_region": "global",
        "resource_id": "arn:aws:iam::829960******:user/******-test",
        "resource_name": "******-test",
        "resource_type": "IAM User",
        "change_type": "resolved",
        "change_reason": "disappeared",
        "changed_at": "2026-04-17T11:29:24+00:00",
        "change_result": null,
        "change_severity": null,
        "change_status": null,
        "previous_result": "fail",
        "previous_severity": "medium",
        "previous_status": "open",
        "original_severity": "medium",
        "scan_name": "******-aws-test",
        "scan_group_name": "******-aws-test"
      },
      "relationships": {
        "check": {
          "data": {
            "id": "8e353aed-02f1-4fb4-a4bc-ee5639******",
            "type": "check"
          }
        },
        "scan": {
          "data": {
            "id": "5322a8a2-8250-4c8b-a3f1-734c18******",
            "type": "scan"
          }
        },
        "scan_group": {
          "data": {
            "id": "81c72aeb-b167-4bbd-ba1d-31c1f9******",
            "type": "scan_group"
          }
        },
        "rule": {
          "data": {
            "id": "da7ada11-db7c-40e2-ab06-8b3f37******",
            "type": "rule"
          }
        }
      }
    },
    {
      ...
    }
  ],
  "links": {
    "self": "https://******.com/prod//v1/cspm/finding_changes?from_date=2026-04-10T00%3A00%3A00&to_date=2026-04-28T00%3A00%3A00&type=resolved&rules=da7ada11-db7c-40e2-ab06-8b3f37d52b93%2C45f90d63-bd45-4055-9bbb-2066dd668706&page_limit=300",
    "next": null
  },
  "meta": {
    "total": 32,
    "elapsed": 32
  }
}
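The following Python sketch is an added example, not part of the vendor's documentation. It builds a first-page request, follows links.next until it is null while refusing a next link that points at a different origin, checks the count against meta.total, and separates resolved changes whose change_result is null (as in the "disappeared" record above) from those that passed. The host, the fetch callable, and the sample records are constructed placeholders; authentication is not described on the page and is left to fetch.

```python
from collections import Counter
from urllib.parse import urlencode, urlsplit

BASE = "https://cspm.example.invalid/v1"  # placeholder host, not from the page

def build_url(change_type, from_date, **filters):
    """First-page URL; list values are sent as comma-separated strings."""
    params = {"type": change_type, "from_date": from_date}
    for key, value in filters.items():
        params[key] = ",".join(value) if isinstance(value, (list, tuple)) else value
    return f"{BASE}/cspm/finding_changes?{urlencode(params)}"

def iter_changes(fetch, url):
    """Yield each change; fetch(url) is a hypothetical callable returning parsed JSON."""
    origin = tuple(urlsplit(url)[:2])  # (scheme, host) of the first request
    seen = 0
    while url:
        if tuple(urlsplit(url)[:2]) != origin:
            raise ValueError(f"next link leaves the API origin: {url}")
        page = fetch(url)
        for item in page["data"]:
            seen += 1
            yield item
        url = page["links"]["next"]
        if url is None and seen != page["meta"]["total"]:
            raise RuntimeError(f"received {seen} of {page['meta']['total']} results")

def summarize(changes):
    """Count changes per (change_type, change_reason) and list resources whose
    finding was resolved with a null change_result (no passing result recorded)."""
    counts, no_pass = Counter(), []
    for change in changes:
        a = change["attributes"]
        counts[(a["change_type"], a["change_reason"])] += 1
        if a["change_type"] == "resolved" and a["change_result"] is None:
            no_pass.append(a["resource_id"])
    return counts, no_pass

def sample_record(reason, result, rid):  # constructed sample record
    return {"type": "finding_change", "attributes": {"change_type": "resolved",
            "change_reason": reason, "change_result": result, "resource_id": rid}}

FIRST = build_url("resolved", "2026-04-10", to_date="2026-04-28", page_limit=2)
NEXT = FIRST + "&page_cursor=CONSTRUCTED"
PAGES = {  # constructed two-page response, keyed by request URL
    FIRST: {"data": [sample_record("fail_to_pass", "pass", "res-a"),
                     sample_record("disappeared", None, "res-b")],
            "links": {"self": FIRST, "next": NEXT}, "meta": {"total": 3, "elapsed": 2}},
    NEXT: {"data": [sample_record("fail_to_pass", "pass", "res-c")],
           "links": {"self": NEXT, "next": None}, "meta": {"total": 3, "elapsed": 3}},
}
```

Calling summarize(iter_changes(PAGES.__getitem__, FIRST)) walks both constructed pages; in real use, replace PAGES.__getitem__ with a function that performs the authenticated GET.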